This is actually on a Windows Server 2003 box. Any thoughts on how to install NET::LDAP on a Windows box? I'm sorry, I'm not a PERL expert at all.
Thanks.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Edward Kovarski
Sent: Monday, September 24, 2007 2:28 PM
To: User questions and discussions about OTRS.org
Subject: Re: [otrs] Re: LDAP Authentication using Microsoft ActiveDirectoryserver

Mike,

For Unix, as per http://doc.otrs.org/2.2/en/html/x354.html, you would need Net::LDAP. To install the module via CPAN, you'd type in:

perl -MCPAN -e 'install Net::LDAP'

or, alternatively some Unices allow:

cpan Net::LDAP

To answer your second question, you'd login via "username" or specifically the sAMAccountName LDAP attribute in Active Directory.

Ed

On 24-Sep-07, at 2:57 PM, Michael Holland wrote:

> Robert and or anyone that can assist. 2 quick questions...
>
> Do you have any instructions on how to install the correct PERL Ldap modules?
> When you login to OTRS do you use the username or domain\username?
>
> Thanks for any help offered. I have been chasing this issue for well over a month.
>
> Mike Holland
>
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Robert Aldridge
> Sent: Monday, September 24, 2007 11:43 AM
> To: User questions and discussions about OTRS.org
> Subject: Re: [otrs] Re: LDAP Authentication using Microsoft Active Directoryserver
>
> Edward,
>
> Thanks for the suggestion. I copied your configuration and now have both agents and customers successfully logging in with authentication against our AD server.
>
> Thanks!!!
>
> Robert
>
> On 9/24/07, Edward Kovarski <[EMAIL PROTECTED]> wrote:
>
> Robert,
>
> I would suggest trying to simplify the configurations by removing the AlwaysFilter and specifying the root of your Active Directory as the BaseDN. Once it authenticates properly you can start customizing and narrowing the BaseDN scope.
>
> Here is an excerpt from Config.pm which I just tested on our dev environment as we don't use the customer interface in production. It properly authenticated and pulled in all the proper values into OTRS...
>
> # --- Customer ---
> $Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::LDAP';
> $Self->{'Customer::AuthModule::LDAP::Host'} = ' ad.groupkae.com';
> $Self->{'Customer::AuthModule::LDAP::BaseDN'} = 'ou=Customer,dc=ad,dc=groupkae,dc=com';
> $Self->{'Customer::AuthModule::LDAP::UID'} = 'sAMAccountName';
> $Self->{'Customer::AuthModule::LDAP::SearchUserDN'} = '[EMAIL PROTECTED]';
> $Self->{'Customer::AuthModule::LDAP::SearchUserPw'} = 'password';
>
> $Self->{CustomerUser} = {
>     Module => 'Kernel::System::CustomerUser::LDAP',
>     Params => {
>         Host => 'ad.groupkae.com',
>         BaseDN => 'ou=Customer,dc=ad,dc=groupkae,dc=com',
>         SSCOPE => 'sub',
>         UserDN => '[EMAIL PROTECTED]',
>         UserPw => 'password',
>     },
>
>     CustomerKey => 'sAMAccountName',
>     CustomerID => 'mail',
>     CustomerUserListFields => ['sAMAccountName', 'cn', 'mail'],
>     CustomerUserSearchFields => ['sAMAccountName', 'cn', 'mail'],
>     CustomerUserSearchPrefix => '',
>     CustomerUserSearchSuffix => '*',
>     CustomerUserSearchListLimit => 250,
>     CustomerUserPostMasterSearchFields => ['mail'],
>     CustomerUserNameFields => ['givenname', 'sn'],
>     Map => [
>         [ 'UserFirstname', 'Firstname', 'givenname', 1, 1, 'var' ],
>         [ 'UserLastname', 'Lastname', 'sn', 1, 1, 'var' ],
>         [ 'UserLogin', 'Login', 'sAMAccountName', 1, 1, 'var' ],
>         [ 'UserEmail', 'Email', 'mail', 1, 1, 'var' ],
>         [ 'UserCustomerID', 'CustomerID', 'mail', 0, 1, 'var' ],
>         [ 'UserPhone', 'Phone', 'telephonenumber', 1, 0, 'var' ],
>     ],
> };
>
> On 24-Sep-07, at 10:42 AM, Robert Aldridge wrote:
>
> > Thanks for the suggestion, Edward. Changing the SearchUserDN to <username>@<domain> continues to work for the agent login. I still haven't been able to get the customer login working. Any hints?
> >
> > Here's my current LDAP portion of Config.pm:
> >
> > $Self->{'AuthModule'} = 'Kernel::System::Auth::LDAP';
> > $Self->{'AuthModule::LDAP::Host'} = ' ldapserver.domain.com ';
> > $Self->{'AuthModule::LDAP::BaseDN'} = 'ou=Group of Users,dc=domain,dc=com';
> > $Self->{'AuthModule::LDAP::UID'} = 'sAMAccountName';
> > $Self->{'AuthModule::LDAP::SearchUserDN'} = ' [EMAIL PROTECTED]';
> > $Self->{'AuthModule::LDAP::SearchUserPw'} = '********';
> >
> > $Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::LDAP';
> > $Self->{'Customer::AuthModule::LDAP::Host'} = ' ldapserver.domain.com';
> > $Self->{'Customer::AuthModule::LDAP::BaseDN'} = 'ou=Group of Users,dc=domain,dc=com';
> > $Self->{'Customer::AuthModule::LDAP::UID'} = 'sAMAccountName';
> > $Self->{'Customer::AuthModule::LDAP::SearchUserDN'} = ' [EMAIL PROTECTED]';
> > $Self->{'Customer::AuthModule::LDAP::SearchUserPW'} = '********';
> >
> > $Self->{CustomerUser} = {
> >     Module => 'Kernel::System::CustomerUser::LDAP',
> >     Params => {
> >         Host => ' ldapserver.domain.com',
> >         BaseDN => 'ou=Group of Users,dc=domain,dc=com',
> >         SSCOPE => 'sub',
> >         AlwaysFilter => '(&(sAMAccountName=*)(mail=*))',
> >         UserDN => '[EMAIL PROTECTED]',
> >         UserPW => '********',
> >     },
> >     CustomerKey => 'sAMAccountName',
> >     CustomerID => 'mail',
> >     CustomerUserListFields => ['sAMAccountName', 'cn', 'mail'],
> >     CustomerUserSearchFields => ['sAMAccountName', 'cn', 'mail'],
> >     CustomerUserPostMasterSearchFields => ['mail'],
> >     CustomerUserNameFields => ['givenname', 'sn'],
> >     Map => [
> >         # note: Login, Email and CustomerID needed!
> >         # var, frontend, storage, shown, required, storage-type
> >         # [ 'UserSalutation', 'Title', 'title', 1, 0, 'var' ],
> >         [ 'UserFirstName', 'Firstname', 'givenname', 1, 1, 'var' ],
> >         [ 'UserLastName', 'Lastname', 'sn', 1, 1, 'var' ],
> >         [ 'UserLogin', 'Login', 'sAMAccountName', 1, 1, 'var' ],
> >         [ 'UserEmail', 'Email', 'mail', 1, 1, 'var' ],
> >         [ 'UserCustomerID', 'CustomerID', 'mail', 0, 1, 'var' ],
> >     ],
> > };
> >
> > # UserSyncLDAPMap
> > # (map if agent should create/synced from LDAP to DB after login)
> > $Self->{UserSyncLDAPMap} = {
> >     # DB -> LDAP
> >     Firstname => 'givenName',
> >     Lastname => 'sn',
> >     Email => 'mail',
> > };
> >
> > # UserSyncLDAPGroups
> > # (If "LDAP" was selected for AuthModule, you can specify initial
> > # user groups for first login.)
> > $Self->{UserSyncLDAPGroups} = [
> >     'users',
> > ];
> >
> > On 9/21/07, Edward Kovarski <[EMAIL PROTECTED]> wrote:
> > Robert,
> >
> > You may also try <username>@<domain> which is the new Microsoft style for specifying users within domains. This is what we use in configuration...
> >
> > Ed
> >
> > On 21-Sep-07, at 2:48 PM, Robert Aldridge wrote:
> >
> > > Finally got it working...
> > >
> > > I changed every entry of:
> > >
> > > 'cn=OTRS Admin,ou=Tuscaloosa - Sheet Mill,dc=tsteel,dc=com';
> > >
> > > to:
> > >
> > > 'tsteel\OTRS'
> > >
> > > and, to pull user data to the local DB, I added:
> > >
> > > # UserSyncLDAPMap
> > > # (map if agent should create/synced from LDAP to DB after login)
> > > $Self->{UserSyncLDAPMap} = {
> > >     # DB -> LDAP
> > >     Firstname => 'givenName',
> > >     Lastname => 'sn',
> > >     Email => 'mail',
> > > };
> > >
> > > # UserSyncLDAPGroups
> > > # (If "LDAP" was selected for AuthModule, you can specify initial
> > > # user groups for first login.)
> > > $Self->{UserSyncLDAPGroups} = [
> > >     'users',
> > > ];
> > >
> > > Perhaps this will help someone else who's trying to set OTRS up with Microsoft Active Directory.
> > >
> > > Thanks,
> > >
> > > Robert Aldridge
> > >
> > > On 9/21/07, Robert Aldridge <[EMAIL PROTECTED]> wrote:
> > > Hi folks,
> > >
> > > First let me say that OTRS appears to be a great product! Kudos to the developers!
> > >
> > > We are in the process of evaluating our options for a helpdesk/trouble-ticket system. I would really like to give OTRS a good evaluation, but I'm having some problems. Our chosen solution must be able to authenticate users (both agents and customers) via Microsoft Active Directory. It appears that this is possible, but I've yet to have any success. I'll outline the steps I've taken and solicit any input from the community.
> > >
> > > OTRS is working fine when authenticating against its own database. Here's what I've done to try to authenticate against AD:
> > >
> > > I edited Kernel/Config.pm and added:
> > >
> > > <begin additions to Config.pm>
> > >
> > > $Self->{'AuthModule'} = 'Kernel::System::Auth::LDAP';
> > > $Self->{'AuthModule::LDAP::Host'} = ' lincoln.tsteel.com';
> > > $Self->{'AuthModule::LDAP::BaseDN'} = 'ou=Tuscaloosa - Sheet Mill,dc=tsteel,dc=com';
> > > $Self->{'AuthModule::LDAP::UID'} = 'sAMAccountName';
> > > $Self->{'AuthModule::LDAP::SearchUserDN'} = 'cn=OTRS Admin,ou=Tuscaloosa - Sheet Mill,dc=tsteel,dc=com';
> > > $Self->{'AuthModule::LDAP::SearchUserPw'} = 'password';
> > >
> > > $Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::LDAP';
> > > $Self->{'Customer::AuthModule::LDAP::Host'} = ' lincoln.tsteel.com';
> > > $Self->{'Customer::AuthModule::LDAP::BaseDN'} = 'ou=Tuscaloosa - Sheet Mill,dc=tsteel,dc=com';
> > > $Self->{'Customer::AuthModule::LDAP::UID'} = 'sAMAccountName';
> > > $Self->{'Customer::AuthModule::LDAP::SearchUserDN'} = 'cn=OTRS Admin,ou=Tuscaloosa - Sheet Mill,dc=tsteel,dc=com';
> > > $Self->{'Customer::AuthModule::LDAP::SearchUserPW'} = 'password';
> > >
> > > $Self->{CustomerUser} = {
> > >     Module => 'Kernel::System::CustomerUser::LDAP',
> > >     Params => {
> > >         Host => ' lincoln.tsteel.com ',
> > >         BaseDN => 'ou=Tuscaloosa - Sheet Mill,dc=tsteel,dc=com',
> > >         SSCOPE => 'sub',
> > >         UserDN => 'cn=OTRS Admin,ou=Tuscaloosa - Sheet Mill,dc=tsteel,dc=com',
> > >         UserPW => 'password',
> > >     },
> > >     CustomerKey => 'sAMAccountName',
> > >     CustomerID => 'mail',
> > >     CustomerUserListFields => 'sAMAccountName', 'cn', 'mail',
> > >     CustomerUserSearchFields => 'sAMAccountName', 'cn', 'mail',
> > >     CustomerUserPostMasterSearchFields => 'mail',
> > >     CustomerUserNameFields => 'givenname', 'sn',
> > >     Map => [
> > >         [ 'UserFirstName', 'Firstname', 'givenname', 1, 1, 'var' ],
> > >         [ 'UserLastName', 'Lastname', 'sn', 1, 1, 'var' ],
> > >         [ 'UserLogin', 'Login', 'sAMAccountName', 1, 1, 'var' ],
> > >         [ 'UserEmail', 'Email', 'mail', 1, 1, 'var' ],
> > >         [ 'UserCustomerID', 'CustomerID', 'mail', 0, 1, 'var' ],
> > >     ],
> > > };
> > >
> > > <end additions to Config.pm>
> > >
> > > On my AD box, I ran: ldifde -f users.ldf -d "OU=Tuscaloosa - Sheet Mill,dc=tsteel,dc=com" -r "<objectClass=user>"
> > >
> > > Which returned a listing of all users in the Tuscaloosa - Sheet Mill org unit. Within the users.ldf file (output from the above command), there's an entry for OTRS Admin:
> > >
> > > <begin snippet from users.ldf>
> > >
> > > dn: CN=OTRS,OU=Tuscaloosa - Sheet Mill,DC=tsteel,DC=com
> > > changetype: add
> > > objectClass: top
> > > objectClass: person
> > > objectClass: organizationalPerson
> > > objectClass: user
> > > cn: OTRS
> > > sn: Admin
> > > givenName: OTRS
> > > distinguishedName: CN=OTRS,OU=Tuscaloosa - Sheet Mill,DC=tsteel,DC=com
> > > instanceType: 4
> > > whenCreated: 20070920125829.0Z
> > > whenChanged: 20070921135825.0Z
> > > displayName: OTRS
> > > uSNCreated: 8512826
> > > uSNChanged: 8549454
> > > name: OTRS
> > > objectGUID:: po7FpWyIxEWWQeiUc9XMwA==
> > > userAccountControl: 66048
> > > badPwdCount: 0
> > > codePage: 0
> > > countryCode: 0
> > > badPasswordTime: 128347689772801250
> > > lastLogoff: 0
> > > lastLogon: 128347693211238750
> > > pwdLastSet: 128347667099207500
> > > primaryGroupID: 513
> > > objectSid:: AQUAAAAAAAUVAAAApR5XA/l+DSsgfDsl4xwAAA==
> > > accountExpires: 9223372036854775807
> > > logonCount: 0
> > > sAMAccountName: OTRS
> > > sAMAccountType: 805306368
> > > userPrincipalName: [EMAIL PROTECTED]
> > > objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=tsteel,DC=com
> > > dSCorePropagationData: 20070921135825.0Z
> > > dSCorePropagationData: 20070921135825.0Z
> > > dSCorePropagationData: 20070921135825.0Z
> > > dSCorePropagationData: 20070921131751.0Z
> > > dSCorePropagationData: 16010108151056.0Z
> > > lastLogonTimestamp: 128347680934676250
> > >
> > > <end snippet from users.ldf>
> > >
> > > With this configuration, when I attempt to login as an agent using my username (which I know is valid in AD), it errors out with:
> > >
> > > Login failed! Your username or password was entered incorrectly.
> > >
> > > And, when I revert the Config.pm back (so I can log in) and check the system log, I see:
> > >
> > > User: raldridge authentication failed, no LDAP entry found! BaseDN='ou=Tuscaloosa - Sheet Mill,dc=tsteel,dc=com', Filter='(sAMAccountName=raldridge)', (REMOTE_ADDR: 10.1.1.50).
> > >
> > > Any help would be greatly appreciated.
> > >
> > > Thanks,
> > >
> > > Robert Aldridge
> > >
> > > _______________________________________________
> > > OTRS mailing list: otrs - Webpage: http://otrs.org/
> > > Archive: http://lists.otrs.org/pipermail/otrs
> > > To unsubscribe: http://lists.otrs.org/cgi-bin/listinfo/otrs
> > > Support or consulting for your OTRS system?
> > > => http://www.otrs.com/
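The failure in the thread is the lookup step: the OTRS LDAP auth module binds with SearchUserDN/SearchUserPw, then searches BaseDN for (sAMAccountName=<login>), and the log shows that search returning nothing. The Perl script below is an added example (not from the thread and not OTRS code) that reproduces those two steps with Net::LDAP so the BaseDN, bind identity and filter can be checked outside OTRS; the host, BaseDN, bind DN and the OTRS_LDAP_PW environment variable are placeholders you must replace.

```perl
#!/usr/bin/perl
# Stand-alone check of the bind + search that OTRS's LDAP auth performs.
# Added example; all values below are placeholders, not from the thread.
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Util qw(escape_filter_value);

my $host    = 'ldapserver.domain.com';   # AuthModule::LDAP::Host
my $base_dn = 'dc=domain,dc=com';        # AuthModule::LDAP::BaseDN (domain root first)
my $bind_dn = 'otrs@domain.com';         # AuthModule::LDAP::SearchUserDN (user@domain form)
my $uid     = 'sAMAccountName';          # AuthModule::LDAP::UID
my $bind_pw = $ENV{OTRS_LDAP_PW} or die "set OTRS_LDAP_PW to the search account's password\n";
my $login   = shift @ARGV or die "usage: $0 <login-name>\n";

# Step 1: connect and bind as the search account. Use scheme => 'ldaps',
# port => 636 in production so the search account's password is not sent in clear.
my $ldap = Net::LDAP->new($host, port => 389, timeout => 10)
    or die "cannot connect to $host: $@\n";
my $mesg = $ldap->bind($bind_dn, password => $bind_pw);
die "search-account bind failed (" . $mesg->code . "): " . $mesg->error . "\n" if $mesg->code;

# Step 2: the same search OTRS runs. The login is escaped so that characters
# such as '*' or ')' typed into the login form cannot change the filter.
my $filter = "($uid=" . escape_filter_value($login) . ")";
my $res = $ldap->search(
    base   => $base_dn,
    scope  => 'sub',
    filter => $filter,
    attrs  => [ 'mail', 'givenName', 'sn', 'userAccountControl' ],
);
die "search failed (" . $res->code . "): " . $res->error . "\n" if $res->code;

if ($res->count == 0) {
    # This is the "no LDAP entry found!" case from the system log above.
    print "No entry for $filter under '$base_dn'.\n",
          "Check that the user's OU lies beneath BaseDN and that the search\n",
          "account may read it; if unsure, retry with the domain root as BaseDN.\n";
    $ldap->unbind;
    exit 1;
}

for my $entry ($res->entries) {
    printf "found %s\n", $entry->dn;
    for my $attr (qw(mail givenName sn userAccountControl)) {
        my $v = $entry->get_value($attr);
        printf "  %-19s %s\n", "$attr:", defined $v ? $v : '';
    }
    my $uac = $entry->get_value('userAccountControl');
    print "  NOTE: account is disabled (userAccountControl bit 0x2)\n" if defined $uac && ($uac & 0x2);
}
$ldap->unbind;
```

Run it as `OTRS_LDAP_PW='...' perl check_otrs_ldap.pl raldridge`; a successful bind followed by zero results points at BaseDN or the search account's read rights rather than at the user's password.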
